With cyber attacks on the rise and new cyber security regulations on the way, we find it more important than ever to strengthen the weakest link in implementing security measures: the human factor. There are numerous formats and solutions for learning more about cyber security, such as training sessions, hackathons and online courses. What we have found is that two of the most effective learning methods in general are gamification and team learning.
Gamification is the application of game design principles to the learning process. For instance, rewarding accomplishments or incorporating competition makes players more engaged. Team learning on the other hand is a collaborative effort to acquire knowledge on a new topic.
Hacking Adventures
We recently started a new knowledge sharing format based on gamification and team learning. The goal is to share our Security Expert Team's know-how with all engineering teams. Through hands-on experience with cracking passwords, breaking RSA keys [1] and bypassing authentication, participants become aware of security concerns and empowered to double-check their own systems for them, rather than relying solely on a security expert's review.
A learning session consists of a 15- to 20-minute presentation, followed by 40 to 45 minutes for solving challenges in teams of 3 to 4 people. The teams self-organize and can ask the security expert questions. Each session includes several sets of challenges ranging from easy to difficult. This means participants need no prior knowledge of the topic, but are still challenged when they do have it. Solving a challenge serves a dual purpose: first, the participant gets a sense of accomplishment from successfully applying their new knowledge, and second, an insight into how an attacker gains access to sensitive data.
So far, we have run 4 sessions with more to come. The presentation slides and challenges are publicly available in our GitHub repository: https://github.com/neXenio/hacking-adventures
More Gamification and Team Learning
We use the same format to share knowledge about Machine Learning, from Decision Trees and Linear Regression to Neural Networks and Deep Learning. While we do not make the materials for these sessions publicly available, there are other excellent learning resources at https://github.com/alexeygrigorev/mlbookcamp-code
Further learning formats drawing on gamification include Security Awareness Training and Capture the Flag (CTF) events. Security Awareness Training usually involves individual activities and does not go into much technical depth. However, it is relevant and accessible to non-technical staff as well. CTF events are typically conducted in teams of up to 5. Having a technical background is useful, but many challenges can be solved without writing any code. A popular option for running a CTF event is to self-host the OWASP Juice Shop. Alternatively, companies like Snyk host events open to all from time to time; perhaps we'll see you there!
[1] Even without quantum computers!